1. Technical Field
The present invention relates to a network encryption system, and particularly to a network encryption system for encrypting or decrypting the user data of every data frame or data packet by using a general random number generator in different ways.
2. Background
Generally, a network encryption apparatus uses a block encryption algorithm such as the DES (Data Encryption Standard) of the US, because a data packet or data frame of limited size is input as a unit.
A block encryption algorithm is an encryption method that transforms data of a fixed length by using an encrypting key according to predetermined rules and tables, so that the data cannot be decrypted without the key. For decryption, the predetermined rules and tables are applied inversely by using the decrypting key. Accordingly, the block encryption algorithm is suitable for encrypting data of a fixed length discontinuously and repeatedly.
However, because a block encryption algorithm is difficult to design, the number of verified algorithms is limited. Moreover, the algorithms approved for export have a low security level, and only these are exported to countries other than the US. Therefore, countries other than the US cannot encrypt information to the desired level, even when they have the encryption apparatus, because its security level is lower than that available in the US.
FIG. 1A is a flowchart of an encryption method of a network encryption apparatus using a conventional block encryption algorithm, and FIG. 1B is a flowchart of a decryption method of a network encryption apparatus using a conventional block decryption algorithm.
Referring to FIGS. 1A and 1B, a network encryption apparatus using a conventional block encryption or decryption algorithm divides a received data frame or data packet into 64-bit units when a 64-bit block encryption or decryption algorithm is used. The apparatus then encrypts or decrypts the divided data through the encryption or decryption algorithm by using a predetermined 64-bit encrypting or decrypting key, respectively.
In case the data frame or data packet is shorter than 64 bits, encryption is performed after inserting as many "0" bits as are required to make 64 bits, and decryption is followed by erasing as many "0" bits as were inserted during encryption. Consequently, the data size before encryption is the same as that after decryption.
The network encryption apparatus using the conventional block encryption algorithm operates as described below. After a data frame or data packet is received from a DTE (Data Terminal Equipment) receiving terminal, it is stored in the DTE receiving buffer. The protocol header of the data frame or data packet stored in the DTE receiving buffer is copied into the DCE (Data Circuit-terminating Equipment) sending buffer.
Then the user data of the data frame or data packet stored in the DTE receiving buffer is block-encrypted, 64 bits at a time, by using a 64-bit encrypting key. In case the user data is shorter than 64 bits, it is block-encrypted after inserting as many "0" bits as are required to make 64 bits, so-called zero padding. The block-encrypted 64-bit data is stored in the DCE sending buffer, and the data frame or data packet stored in the DCE sending buffer is sent to a DCE sending terminal.
Conversely, for decryption, the data frame or data packet received from the DCE receiving terminal is stored in the DCE receiving buffer. Then the protocol header of the data frame or data packet stored in the DCE receiving buffer is copied into the DTE sending buffer.
The user data of the data frame or data packet stored in the DCE receiving buffer is block-decrypted, 64 bits at a time, by using the 64-bit decrypting key, and the block-decrypted 64-bit data is stored in the DTE sending buffer. In case the data frame or data packet was shorter than 64 bits, the inserted "0" bits are erased. The data is thus stored in the DTE sending buffer, having been reassembled from the 64-bit blocks into the data frame or packet.
In the encryption and decryption methods of the network encryption apparatus using the conventional block encryption and decryption algorithm, data of a fixed length is encrypted and decrypted. Therefore, a zero padding process is required when the data size is smaller than the block size, and the padded "0" bits must be erased after decryption.
In addition, hardware elements employing the block encryption algorithm are supplied with a lowered security level because of the export limitations of the US, and it is difficult to verify the security level of the block algorithm.
Accordingly, in order to solve the problems in the prior art, it is an object of the present invention to provide a network encryption system, in particular one for encrypting or decrypting the user data of every data frame or data packet by using a general random number generator in different ways.
One embodiment to achieve the above object is a network encryption apparatus comprising: encrypting means for generating random numbers by using a part of the user data discriminated from a data frame or data packet, and encrypting the user data by a logical operation with the random numbers; and decrypting means for generating random numbers by using a part of the decrypted user data, and decrypting the user data by a logical operation with the random numbers.
Another embodiment to achieve the above object is a network encryption apparatus comprising: encrypting means for generating random numbers for every data frame or data packet by using a part of the user data discriminated from the data frame or data packet, and encrypting the user data by a logical operation of that part of the user data with the random numbers and of the remaining part of the user data with an encrypting key having a fixed length; and decrypting means for decrypting the part of the user data discriminated from the data frame or data packet by a logical operation with a decrypting key having a fixed length, generating random numbers by using the decrypted part of the user data, and decrypting the user data by a logical operation with the random numbers.
The other embodiment to achieve the above object is a network encryption method comprising: an encrypting process of generating random numbers by using a part of the user data discriminated from a data frame or data packet, and encrypting the user data by a logical operation with the random numbers; and a decrypting process of generating random numbers by using a part of the decrypted user data, and decrypting the user data by a logical operation with the random numbers.
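The per-frame scheme of the second embodiment, as an added example that is not part of the patent: the decrypting means is taken as the guide, so the seed part of the user data is protected by the fixed-length key and the remaining user data by random numbers generated from that seed. The seed length, the generator (Python's Mersenne Twister standing in for the "general random number generator"), the key and the sample frame are all assumptions constructed here; unlike the conventional block method above, no zero padding is needed and the frame keeps its length.

```python
import random

# Assumed parameters: the patent gives no size for the "part of user data" used as
# the generator seed, no particular generator, and no key length.
SEED_LEN = 8                                    # bytes of each frame's user data that seed the generator
FIXED_KEY = bytes.fromhex("0123456789abcdef")   # constructed fixed-length key, one byte per seed byte


def _xor(data: bytes, pad: bytes) -> bytes:
    # Bitwise XOR is the "logical operation". zip() stops at the shorter input, so a
    # frame with fewer than SEED_LEN bytes of user data is handled without padding.
    return bytes(a ^ b for a, b in zip(data, pad))


def _random_numbers(seed: bytes, count: int) -> bytes:
    # Deterministically seed the generator from the frame's own leading plaintext
    # bytes; both ends derive the same sequence from the same seed. An int seed
    # gives the same Mersenne Twister sequence on every Python version.
    rng = random.Random(int.from_bytes(seed, "big"))
    return bytes(rng.getrandbits(8) for _ in range(count))


def encrypt_frame(header: bytes, user_data: bytes, key: bytes = FIXED_KEY) -> bytes:
    """Encrypt one frame: the protocol header is copied in the clear (as in the
    DTE-to-DCE buffer copy), the seed part is XORed with the fixed-length key and
    the remainder is XORed with random numbers generated from the plaintext seed.
    The output has exactly the length of the input."""
    if len(key) < SEED_LEN:
        raise ValueError("fixed key must cover the whole seed part")
    seed_part, rest = user_data[:SEED_LEN], user_data[SEED_LEN:]
    return header + _xor(seed_part, key) + _xor(rest, _random_numbers(seed_part, len(rest)))


def decrypt_frame(frame: bytes, header_len: int, key: bytes = FIXED_KEY) -> tuple:
    """Inverse of encrypt_frame: recover the seed part with the fixed key first,
    regenerate the same random numbers from it, then XOR them off the rest."""
    header, body = frame[:header_len], frame[header_len:]
    seed_part = _xor(body[:SEED_LEN], key)
    rest = _xor(body[SEED_LEN:], _random_numbers(seed_part, len(body) - SEED_LEN))
    return header, seed_part + rest


if __name__ == "__main__":
    hdr, data = b"\x10\x01", b"user data of a single frame"   # constructed sample frame
    frame = encrypt_frame(hdr, data)
    print(frame.hex())
    print(decrypt_frame(frame, len(hdr)))
```

Because the sequence depends only on the seed bytes, two frames whose user data begin with the same SEED_LEN bytes receive identical random numbers; the protection of the remaining data therefore rests on the generator and on that seed part differing from frame to frame.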